Overview

overview

10

Static

static

8f236ac211...56.exe

windows7_x64

10

8f236ac211...56.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    24-01-2022 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56.exe

  • Size

    2.8MB

  • MD5

    4cf6cc9fafde5d516be35f73615d3f00

  • SHA1

    f4b9c366a50fa20013d70730f9e260534e59a846

  • SHA256

    8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56

  • SHA512

    f9670cbda474606b17302fab11dc5e5fff1ecf1414454f30293a5650e4e4458d6f687e642f4f8b5c154b5619382fd06a043517ffc5d1ffc0d5344fc3b3763a05

Score
10/10
banloadbootkitdownloaderdropperevasionpersistencetrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56.exe
    "C:\Users\Admin\AppData\Local\Temp\8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56.exe"
    1⤵
    • Checks BIOS information in registry
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1212-54-0x0000000076001000-0x0000000076003000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1212-55-0x00000000026B0000-0x00000000028BC000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/1212-59-0x0000000000400000-0x000000000086F000-memory.dmp
    Filesize

    4.4MB

    Download
  • memory/1212-60-0x0000000000400000-0x000000000086F000-memory.dmp
    Filesize

    4.4MB

    Download
  • memory/1212-61-0x0000000000400000-0x000000000086F000-memory.dmp
    Filesize

    4.4MB

    Download
  • memory/1212-62-0x0000000003600000-0x00000000036BA000-memory.dmp
    Filesize

    744KB

    Download